From 825b6e208a1a86916766d94f7a787f4f1f769721 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 14:34:30 -0400
Subject: [PATCH 1/6] ci: scope down permissions for release.yml
---
 .github/workflows/release.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b59afd8f..120e0211 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,6 +5,9 @@ on:
 release:
 types: [published]
 
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
From 370fb11d09761f3d330cf7b09d7cbf67b3e695c9 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 14:34:32 -0400
Subject: [PATCH 2/6] ci: scope down permissions for functional-test.yml
---
 .github/workflows/functional-test.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/functional-test.yml b/.github/workflows/functional-test.yml
index b8a22dfb..63ad2756 100644
--- a/.github/workflows/functional-test.yml
+++ b/.github/workflows/functional-test.yml
@@ -5,6 +5,9 @@ on:
 paths-ignore:
 - '**.md'
 
+permissions:
+ contents: read
+
 jobs:
 build:
 if: "!contains(github.event.head_commit.message, 'chore(release):')"
From 4e3cd8f5def3581a08e09532d61733acc20296fa Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 14:34:34 -0400
Subject: [PATCH 3/6] ci: scope down permissions for auto-assign.yml
---
 .github/workflows/auto-assign.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/auto-assign.yml b/.github/workflows/auto-assign.yml
index c32ac1fc..dcc64790 100644
--- a/.github/workflows/auto-assign.yml
+++ b/.github/workflows/auto-assign.yml
@@ -1,6 +1,9 @@
 name: 'Auto Assign'
 on: pull_request
 
+permissions:
+ pull-requests: write
+
 jobs:
 add-reviews:
 runs-on: ubuntu-latest
From e42c4ad2c8a8d9e552b92fc3f39c7ed746722ef5 Mon Sep 17 00:00:00 2001
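Review bot: In release.yml, a top-level `permissions:` block that lists only `contents: read` sets every other GITHUB_TOKEN scope to `none`, and the `build` job's steps lie outside the hunk, so it cannot be confirmed from here that nothing in the job needs more. A workflow triggered on `release: published` commonly uploads assets to the release (needs `contents: write`) or publishes with OIDC provenance (needs `id-token: write`); if any step does, grant that scope on the `build` job alone rather than widening the workflow default. The same check applies to the `contents: read` hunks in functional-test.yml, functional-test-clean-up.yml, integration-test.yml and unit-test.yml. A short comment above the block, such as `# Least privilege: GITHUB_TOKEN is read-only here; grant extra scopes per job`, would tell the next maintainer why it is there.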
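Review bot: In auto-assign.yml the `pull-requests: write` grant sits at workflow level, so any job added to this file later inherits a write-capable token. Setting the workflow default to `permissions: {}` and placing `permissions:` with `pull-requests: write` under the `add-reviews` job ties the write scope to the one job that needs it; that job's steps are outside the hunk, so confirm this single scope is enough for the action it runs. With `on: pull_request`, runs for pull requests from forks receive a read-only token by default whatever this block says, which is the safe behaviour and worth recording in a comment so the trigger is not later changed to `pull_request_target` without review.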
From: Adnan Khan
Date: Tue, 21 Oct 2025 14:34:36 -0400
Subject: [PATCH 4/6] ci: scope down permissions for functional-test-clean-up.yml
---
 .github/workflows/functional-test-clean-up.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/functional-test-clean-up.yml b/.github/workflows/functional-test-clean-up.yml
index cc5a9729..e33ce7e3 100644
--- a/.github/workflows/functional-test-clean-up.yml
+++ b/.github/workflows/functional-test-clean-up.yml
@@ -5,6 +5,9 @@ on:
 schedule:
 - cron: '15 7 * * *'
 
+permissions:
+ contents: read
+
 jobs:
 build:

From 253ec18923e7913c83b4f0feddbeb8633d35cc63 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 14:34:37 -0400
Subject: [PATCH 5/6] ci: scope down permissions for integration-test.yml
---
 .github/workflows/integration-test.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/integration-test.yml b/.github/workflows/integration-test.yml
index e55be7e3..f846395b 100644
--- a/.github/workflows/integration-test.yml
+++ b/.github/workflows/integration-test.yml
@@ -11,6 +11,9 @@ on:
 paths-ignore:
 - '**.md'
 
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ${{ matrix.os }}
From a87f21b5576fd1e0c0a3a32fe7660d27e5ebc2dc Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 14:34:39 -0400
Subject: [PATCH 6/6] ci: scope down permissions for unit-test.yml
---
 .github/workflows/unit-test.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/unit-test.yml b/.github/workflows/unit-test.yml
index 286f473f..c0e274cf 100644
--- a/.github/workflows/unit-test.yml
+++ b/.github/workflows/unit-test.yml
@@ -11,6 +11,9 @@ on:
 paths-ignore:
 - '**.md'
 
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ${{ matrix.os }}